The Windows Task Manager can be used to dump the memory space of lsass.exe to disk for later processing with a credential access tool such as Mimikatz. This is done by launching Task Manager as a privileged user, selecting lsass.exe, and clicking “Create dump file”. Task Manager writes the dump to disk with a deterministic name that includes the name of the dumped process.
Detecting this behaviour requires filesystem telemetry that records file creation events.
| Technique | Tactic | Level of Coverage |
|---|---|---|
| Credential Dumping | Credential Access | Low |
Data Model References
Procdump - File Create (Pseudocode)
This base pseudocode looks for file create events where a file with a name similar to lsass.dmp is created by the Windows task manager process.
```
files = search File:Create
lsass_dump = filter files where (
  file_name = "lsass*.dmp" and
  image_path = "C:\Windows\*\taskmgr.exe")
output lsass_dump
```
Procdump - File Create (Splunk, Sysmon native)
A Splunk/Sysmon version of the above pseudocode.
```
index=__your_sysmon_index__ EventCode=11 TargetFilename="*lsass*.dmp" Image="C:\\Windows\\*\\taskmgr.exe"
```
Procdump - File Create (Eql, EQL native)
An EQL version of the above pseudocode.
```
file where file_name == "lsass*.dmp" and process_name == "taskmgr.exe"
```
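As an added example that is not part of the analytic itself, the filter above implemented in Python and run over a few constructed Sysmon Event ID 11 records. Field names follow the Splunk/Sysmon query; lower-casing both sides and matching the pseudocode's `file_name` against the base name of the full `TargetFilename` path are assumptions made to mirror Windows path semantics.

```python
import fnmatch
import ntpath

# Constructed Sysmon Event ID 11 (FileCreate) records, trimmed to the fields the
# analytic uses. Sample data only, not real telemetry.
SAMPLE_EVENTS = [
    # Task Manager writing an lsass dump: should alert
    {"EventCode": 11, "Image": r"C:\Windows\System32\Taskmgr.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\lsass.DMP"},
    # Task Manager dumping an unrelated process: should not alert
    {"EventCode": 11, "Image": r"C:\Windows\System32\Taskmgr.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\notepad.DMP"},
    # Same file name written by some other image: out of scope for this analytic
    {"EventCode": 11, "Image": r"C:\Tools\other.exe",
     "TargetFilename": r"C:\Tools\lsass.dmp"},
    # Not a FileCreate event at all
    {"EventCode": 1, "Image": r"C:\Windows\System32\Taskmgr.exe",
     "TargetFilename": ""},
]

# Patterns taken from the pseudocode, lower-cased (assumption: case-insensitive
# matching, as Windows paths are case-insensitive).
FILE_NAME_PATTERN = "lsass*.dmp"
IMAGE_PATTERN = r"c:\windows\*\taskmgr.exe"


def matches_analytic(event):
    """Return True when a single event satisfies the analytic's filter."""
    if event.get("EventCode") != 11:
        return False
    # Sysmon records the full path in TargetFilename; the pseudocode matches on
    # the file name only, so reduce the path to its base name first.
    file_name = ntpath.basename(event.get("TargetFilename", "")).lower()
    image = event.get("Image", "").lower()
    return (fnmatch.fnmatchcase(file_name, FILE_NAME_PATTERN)
            and fnmatch.fnmatchcase(image, IMAGE_PATTERN))


def detect(events):
    """Apply the analytic to a stream of events and return the matching ones."""
    return [e for e in events if matches_analytic(e)]


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print("lsass dump created by Task Manager:", hit["TargetFilename"])
```

Only the first record fires; the third shows that a dump with the same name from a different image is deliberately outside this analytic's scope.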
Test Case 1
- Open Windows Task Manager as Administrator
- Select lsass.exe
- Right-click on lsass.exe and select “Create dump file”.